Why mitigating cyber risk needs to start from the top in Australia’s insurance sector

Why mitigating cyber risk needs to start from the top in Australia’s insurance sector | Insurance Business Australia

Around the globe, cyber-security threats are real and rising and Australia’s insurance sector is far from immune.

Maintaining effective defences has become a strategic challenge for insurers and insurance brokerages around the country.

Australia’s general insurance industry is worth $63 billion a year and is dominated by established local brands, including Allianz, Insurance Australia Group, QBE and Suncorp.

The country is also home to more than 350 brokerages which process over $19 billion in general insurance premiums each year, according to the National Insurance Brokers Association.

The plethora of sensitive customer data insurers and brokers have in their possession – think health records, credit ratings, driver’s licence numbers and the like – is of considerable value to hackers looking to appropriate and misuse it for financial gain.

Individuals’ personal information can be sold for a profit on the dark web: the underground marketplace where high tech scammers obtain the data they need to commit identity fraud, typically for the purpose of acquiring goods and services illegally.

Mitigating cyber-risk effectively calls for a top-down approach, with buy-in and support from senior executives from across the organisation.

Scoping out the challenge

The past two decades have seen information technology undergo an extreme transformation. Once synonymous with processing power in the data centre, it is now ingrained in almost every aspect of daily life, at home and at work. That has resulted in a change to the threat landscape.

Once a rarity, cyber-security incidents are now unremarkable and managing the risks associated with them has become part and parcel of running an insurance business, rather than merely an issue for the tech team.

For some insurers and brokers, the challenges of implementing effective cyber-security practices are exacerbated by the legacy solutions that are still in use – aging equipment and core infrastructure that can be difficult to patch and protect.

Getting the board on board

Unfortunately, in many insurance businesses, executive-level discussion about cyber risks tends to revolve around fear. Attention is typically focused on the dire implications of an attack and the fallout it could cause.

Often, security professionals will present alarming data about the rates of attack and the extent of potential damage. Their overriding message is that, if everything is not fixed quickly, the organisation could find itself in real trouble.

A more constructive focus would be on how, beyond reducing the threat level, becoming proactive about cyber-security can benefit an insurance business more broadly, by bolstering its reputation for being a ‘safe pair of hands’.

Integrity and prudence are both considered highly desirable attributes in insurers and brokers and can be key criteria for Australians when purchasing insurance cover in a competitive market.

Conversely, insurance businesses which come to be perceived as ‘seat of the pants’ operators may experience a corresponding drop-off in confidence and custom.

Insurance businesses also need to consider cyber risk from a legal perspective. In common with other organisations, they need to comply with the Australian Privacy Principles laid down by the Office of the Australian Information Commissioner.

Insurance businesses which arrange or issue policies for individuals hailing from EU countries are also subject to that bloc’s stringent GDPR regulations. These regulations extend to all organisations which hold the personal data of EU citizens, regardless of geographic location.

Insurance businesses also have a duty to manage the level of cyber risk faced by their organisations and should keep the reasonableness test front of mind when assessing their planned level of action.

This is important because risk reduction steps that would be deemed reasonable today are very different from what they were 10 years ago. Decision makers need to ensure their responses are evolving over time and commensurate with current threat levels.

A problem for the business, not the IT department

Viewing cyber security as a technology problem, rather than a governance problem, is a mistake. Insurance businesses which take that approach and assume that the purchase of another new piece of technology will solve the problem perpetuate the myth that it’s possible to buy your way to safety.

And a myth it is. While products are clearly an essential piece of the security puzzle, it’s vital organisations develop much broader strategies to deal with rising threat levels.

Creating a multi-disciplinary team comprising representatives from across the enterprise is the best way to ensure all aspects of cyber risk are assessed and each division or business unit is aware of its role, both in mitigation and response, should an incident occur.

Time to act

The danger to organisations posed by hackers and cyber-criminals is real and rising. Threats are becoming increasingly targeted and sophisticated, according to advice released by the Australian Cyber Security Centre in 2019. Business leaders surveyed for PwC’s 2018 Global Economic Crime and Fraud Survey: Australian Report flagged cyber-crime as the most disruptive economic crime of our era.

Taking an enterprise-wide approach to cyber-security, led by senior executives and administrators, will help mitigate the risk for insurance businesses which are prepared to put the issue on the agenda in the boardroom, as well as in the IT shop.

The above was an opinion piece written by Phil Kernick, co-founder and chief technology officer at CQR Consulting. The views expressed within the article are not necessarily those of Insurance Business.